07-05-2012 03:20 AM - edited 03-10-2019 05:43 AM
Hi,
We have IDSM configured to block (shun) for some signatures with FWSM.
When sig 3002 is fired, the attacker is shunned by FWSM, but the issue is that sig 3001 is fired and shuns the victim, which is an internal normal user.
Any suggestions?
07-10-2012 12:01 AM
Hello,
Can you paste the event here? When is the signature fired?
Mike
07-15-2012 05:24 AM
Sig 3002 fires based on a port scan from the attacker (test), and then sig 3001 fires on the victim.
I need to know how I can make FWSM shun the connection only, not the host. I tried to set the event action to "block connection" instead of "block host", but it didn't work.
07-15-2012 11:40 AM
Hello Ibrahim,
As Maykol said, can you paste the event here? We would like to see all the details. Also, you are telling us you removed the action for deny attacker inline, added deny connection inline, applied it, and nothing happens? Right?
Please paste the event,
Julio
07-16-2012 03:01 AM
No, it is IDS, not inline. I changed the action from "block host" to "block connection" to make FWSM "shun" this connection only instead of shunning all connections for this host.
Severity | Date | Time | Device | Sig. Name | Sig. ID | Attacker IP | Victim IP | Actions Taken | Victim Port | Threat Rating | Risk Rating | Reputation |
medium | 7/3/2012 | 14:03:12 | BB2-IDSM | TCP Port Sweep | 3001/0 | Y | X | shunRequested, blockConnectionRequested | 60767 | 65 | 85 | |
medium | 7/3/2012 | 14:06:54 | BB2-IDSM | TCP Port Sweep | 3001/0 | y | x | shunRequested, blockConnectionRequested | 39992 | 65 | 85 | |
medium | 7/3/2012 | 14:07:04 | BB2-IDSM | TCP Port Sweep | 3001/0 | y | x | shunRequested, blockConnectionRequested | 54653 | 65 | 85 | |
medium | 7/3/2012 | 14:07:19 | BB2-IDSM | TCP Port Sweep | 3001/0 | y | x | shunRequested, blockConnectionRequested | 58554 | 65 | 85 | |
medium | 7/3/2012 | 14:08:14 | BB2-IDSM | TCP Source Port 0 | 24199/0 | 10.20.30.25 | x | 40219 | 85 | 85 |
Severity | Date | Time | Device | Sig. Name | Sig. ID | Attacker IP | Victim IP | Actions Taken | Victim Port | Threat Rating | Risk Rating | Reputation |
low | 7/3/2012 | 14:03:12 | BB2-IDSM | TCP SYN Port Sweep | 3002/0 | X | Y | shunRequested, blockConnectionRequested | 32 | 52 | ||
low | 7/3/2012 | 14:06:53 | BB2-IDSM | TCP SYN Port Sweep | 3002/0 | x | Y | shunRequested, blockConnectionRequested | 32 | 52 | ||
low | 7/3/2012 | 14:07:03 | BB2-IDSM | TCP SYN Port Sweep | 3002/0 | x | y | shunRequested, blockConnectionRequested | 32 | 52 | ||
low | 7/3/2012 | 14:07:19 | BB2-IDSM | TCP SYN Port Sweep | 3002/0 | x | Y | shunRequested, blockConnectionRequested | 32 | 52 | ||
high | 7/3/2012 | 14:07:30 | BB2-IDSM | VxWorks Remote Debug Interface | 28779/0 | x | Y | shunRequested, blockConnectionRequested | 17185 | 60 | 80 | |
high | 7/3/2012 | 14:07:47 | BB2-IDSM | Nmap UDP Port Sweep | 4003/0 | x | Y | shunRequested, blockConnectionRequested | 55 | 75 | ||
high | 7/3/2012 | 14:08:34 | BB2-IDSM | Nmap UDP Port Sweep | 4003/0 | x | Y | shunRequested, blockConnectionRequested | 55 | 75 | ||
high | 7/3/2012 | 14:11:10 | BB2-IDSM | ICMP Network Sweep w/Timestamp | 2101/0 | x | Y | shunRequested, denyPacketRequestedNotPerformed, blockConnectionRequested | 80 | 100 | ||
high | 7/3/2012 | 14:12:12 | BB2-IDSM | ICMP Network Sweep w/Address Mask | 2102/0 | x | y | shunRequested, denyPacketRequestedNotPerformed, blockConnectionRequested | 80 | 100 |
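The two pasted tables carry the detail that matters for triage: in the 3002 rows the attacker is X and the victim is Y, while in the 3001 rows fired seconds later the roles are reversed (attacker Y, victim X), so the shun requested for 3001 lands on the internal host. The script below is an added example, not part of this thread and not Cisco's code. It parses rows in the same pipe-separated export format, flags every shun or block request whose "Attacker IP" falls inside an assumed internal prefix (10.0.0.0/8), and pairs sweep signatures that fired in both directions within a short window. The sample rows are constructed: 192.0.2.50 stands in for the external test host and 10.0.0.25 for the internal user; the five-second window and the set of sweep signature IDs (the ones visible in the tables above) are assumptions.

```python
"""Triage IDSM/IME event rows to spot shun requests aimed at internal hosts.

Added example, not from the thread. Parses a pipe-separated export (header
line followed by event lines), then reports:
  * events where a blocking action targets an internal "Attacker IP";
  * sweep signatures that fired a->b and then b->a within a short window,
    i.e. the scanned host being reported as the attacker of a reverse sweep.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample shaped like the export pasted in the thread.
SAMPLE_EVENTS = """\
Severity | Date | Time | Device | Sig. Name | Sig. ID | Attacker IP | Victim IP | Actions Taken | Victim Port | Threat Rating | Risk Rating | Reputation |
low | 7/3/2012 | 14:03:12 | BB2-IDSM | TCP SYN Port Sweep | 3002/0 | 192.0.2.50 | 10.0.0.25 | shunRequested, blockConnectionRequested | | 32 | 52 | |
medium | 7/3/2012 | 14:03:12 | BB2-IDSM | TCP Port Sweep | 3001/0 | 10.0.0.25 | 192.0.2.50 | shunRequested, blockConnectionRequested | 60767 | 65 | 85 | |
medium | 7/3/2012 | 14:08:14 | BB2-IDSM | TCP Source Port 0 | 24199/0 | 192.0.2.50 | 10.0.0.25 | | 40219 | 85 | 85 | |
"""

# Assumptions: which prefixes are "inside", which actions block, which
# signature IDs are sweeps (only IDs that appear in the thread's tables).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BLOCKING_ACTIONS = {"shunRequested", "blockConnectionRequested", "blockHostRequested"}
SWEEP_SIGS = {"3001", "3002", "4003"}


def parse_events(text):
    """Turn the pipe-separated export into a list of dicts keyed by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].strip().strip("|").split("|")]
    events = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.strip().strip("|").split("|")]
        if len(cells) != len(header):
            raise ValueError(f"column count mismatch in row: {ln!r}")
        ev = dict(zip(header, cells))
        ev["when"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %H:%M:%S")
        ev["sig"] = ev["Sig. ID"].split("/")[0]          # "3001/0" -> "3001"
        ev["actions"] = {a.strip() for a in ev["Actions Taken"].split(",") if a.strip()}
        events.append(ev)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def shuns_against_internal(events):
    """Events where a shun/block was requested against an internal address."""
    return [ev for ev in events
            if ev["actions"] & BLOCKING_ACTIONS and is_internal(ev["Attacker IP"])]


def reversed_sweep_pairs(events, window=timedelta(seconds=5)):
    """(first, second) pairs: an external->internal sweep followed within
    `window` by a sweep reported in the opposite direction. The second event
    names the scanned host as the attacker, so its shun hits the wrong side."""
    sweeps = [ev for ev in events if ev["sig"] in SWEEP_SIGS]
    pairs = []
    for first in sweeps:
        for second in sweeps:
            if (second["Attacker IP"] == first["Victim IP"]
                    and second["Victim IP"] == first["Attacker IP"]
                    and first["when"] <= second["when"] <= first["when"] + window
                    and not is_internal(first["Attacker IP"])
                    and is_internal(second["Attacker IP"])):
                pairs.append((first, second))
    return pairs


def triage(text):
    """Summarise the two findings as plain tuples for reporting or assertions."""
    events = parse_events(text)
    return {
        "internal_shuns": [(ev["sig"], ev["Attacker IP"]) for ev in shuns_against_internal(events)],
        "reversed_pairs": [(a["sig"], b["sig"]) for a, b in reversed_sweep_pairs(events)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for sig, ip in report["internal_shuns"]:
        print(f"shun requested against internal host {ip} by sig {sig}")
    for a, b in report["reversed_pairs"]:
        print(f"sig {a} then sig {b} in reverse direction: second shun targets the scanned host")
```

Run it against an export saved from IME or the event viewer (feed the file contents to `triage`) and adjust INTERNAL_NETS to the real inside prefixes. Any hit in `internal_shuns` is a candidate for a signature-level action change or a filter on the blocking device, and each `reversed_pairs` entry points at the exact signature whose shun needs to be reviewed rather than the one that correctly identified the scanner.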
07-16-2012 07:44 PM
Hello Ibrahim,
I would say it is being denied due to an event action override (see the high Risk Rating).
Is it a possibility to unassign the signature, retire it and then put it back on one more time?
Can you let us know what actions are assigned to this signature in the signature policy?
Regards,
07-22-2012 03:55 AM
Hello Jcarvaja,
I need to confirm that if I configure this signature to "block connection", the FWSM will shun the connection only.
The case is that the FWSM shuns the host, so it will deny all traffic from this host.